The Cyber Resilience Act does not have geographical exemptions. A connected sensor manufactured in Jakarta faces the same documentation requirements as one made in Munich. Article 2(1) applies to any product with digital elements placed on the EU market — a direct or indirect data connection to a device or network is sufficient. If your IoT devices contain firmware, connect via WiFi, Bluetooth, LoRa, or cellular, and reach EU buyers through any channel, you need an Annex VII dossier. CRACheck generates 8 documents in 15–25 minutes. €149 per device type. All processing happens in your browser.
€149 one-time · 8-document ZIP · 15–25 minutes · Browser-side
You enter your product data. CRACheck structures the documentation per Article 31 + Annex VII.
Regulation (EU) 2024/2847 applies based on product type, not company size. A connected sensor from a 20-person company in Manila faces the same essential cybersecurity requirements (Annex I) as one from a multinational. Article 13 does not scale obligations by company revenue. The regulation applies equally to all manufacturers who place products with digital elements on the EU market.
Article 2(1) covers products made available on the EU market through any channel. B2B sales to EU-based integrators, distributors, or OEMs are within scope. Your IoT sensor sold to a European smart building integrator is placed on the EU market at the point of that B2B transaction.
The CRA does not set minimum product value thresholds. A €5 connected sensor with firmware has the same documentation obligations as a €500 gateway. The proportionality principle applies to penalty calculation (Art. 64(6) considers the size of the undertaking), not to documentation obligations.
8 PDF documents generated from your data. Each cites the specific article of Regulation (EU) 2024/2847 it complies with.
Evaluates your IoT device against Annex III categories. IoT gateways may qualify as network management systems (Class I, item 6). Sensors with security functions may match other categories. Default devices use Module A self-assessment.
Art. 31 + Annex VII dossier for your IoT device: hardware and firmware design, connectivity, security architecture, production controls.
Annex I Part I analysis for IoT devices: remote exploitation, data interception, firmware tampering, battery-powered device constraints on security updates.
Annex II documentation: deployment guide, security configuration, update instructions, data handling transparency, support period, end-of-life procedure.
Art. 28 + Annex V. Your EU buyer needs this before market placement.
Vulnerability disclosure for IoT devices: reporting channel, acknowledgement timelines, patch distribution, coordination with downstream users.
Art. 14 ENISA notification for actively exploited vulnerabilities in your IoT devices. Art. 14(2): early warning within 24h, notification within 72h, final report within 14 days.
Enforcement timeline, support period, update milestones.
See before you buy: download a sample dossier (PDF, fictitious company). Real structure, real articles, real format. Fictitious data.
Generated from your data, in your browser. No data leaves your device.
CRACheck generates the cybersecurity technical file required by Art. 31 for your IoT device. It classifies the device, maps its security properties, and produces 8 PDFs. This documentation is what stands between your product and the EU market after December 2027.
CRACheck does not design your device's firmware security, implement encryption on constrained IoT hardware, or build OTA update mechanisms for low-power devices. Those are engineering decisions. CRACheck documents the cybersecurity properties of the device you have built.
Start with what you have. The documentation process reveals gaps. Fix the gaps, regenerate the dossier. €149 covers 10 regenerations.
Article 64 of Regulation (EU) 2024/2847.
Annex I + Art. 13/14.
Art. 28, 31, 32.
Misleading information.
| Criterion | International Consultant | Trade Association Guide | Self-Research from Regulation | CRACheck |
|---|---|---|---|---|
| Time per device | 6–14 weeks | 2–4 weeks (generic) | Weeks of reading + drafting | 15–25 minutes |
| Cost | $8,000–$18,000 | Association fees | Staff time | €149 |
| Accessibility from SEA | Limited availability | English-language barriers | 81-page EU regulation | Browser-based, any location |
| Annex VII structure | Consultant format | Generic template | Self-interpreted | Standardised per Annex VII |
Each IoT device type with distinct firmware and connectivity needs its own dossier. Volume pricing: €99/device (pack 10), €79/device (pack 30).
CRACheck generates a structured document aligned with Article 31 and Annex VII of Regulation (EU) 2024/2847 based on your device data. The accuracy is your responsibility as manufacturer.
We guarantee the structure follows Art. 31 + Annex VII and legal references are correct. We do not guarantee acceptance by an EU authority in a specific case.
CRACheck is not legal advice. For EU market access strategy, authorised representative needs, or importer coordination, consult a regulatory attorney.
Eight documents. Article 31 + Annex VII fully structured. Regulation (EU) 2024/2847. Your data stays on your device. The ZIP you download is yours forever.